Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WD Patches Backdoor Security Flaw in My Cloud NAS Devices

A security researcher discloses full details on multiple software vulnerabilities in Western Digital's My Cloud network-attached storage devices that have now been patched.

Users of Western Digital’s My Cloud network-attached storage devices are being urged to update to the latest firmware version to protect themselves against a series of security issues, including a built-in backdoor vulnerability.

On Jan. 4, security researcher James Bercegay at GulfTech Research and Development publicly disclosed the WD My Cloud vulnerability. According to Bercegay, he responsibly reported the security issues to WD in June 2017.

"WD—Western Digital—is aware of the previously reported security vulnerabilities related to the My Cloud products," WD wrote in a statement sent to eWEEK. "These had been disclosed by a security researcher directly with our team in 2017 and critical issues were addressed in 2017 with firmware update v2.30.172."

Further reading

Among the issues discovered by Bercegay is a hard-coded backdoor that includes a default username and password. Bercegay warned in his advisory that the backdoor could be remotely exploited and used to create a spreading worm virus. The Mirai internet of things (IoT) botnet that impacted organizations around the world at the end of 2016 was made up of vulnerable devices that had known usernames and passwords.

"Users locked to a LAN are not safe either," Bercegay warned. "An attacker could literally take over your WD MyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

Bercegay also noted that WD My Cloud was at risk from an unrestricted file update vulnerability that could have enabled an attacker to put arbitrary files on a vulnerable WD device.

This isn't the first time that WD has had to patch for security issues on its WD My Cloud devices. In March 2017, a security researcher known as "Zenofex" working as part of the security group Exploiteers disclosed command injection vulnerabilities in WD My Cloud. Bercegay also found command injection as part of his own research.

"By now I feel that the manufacturer should know better, considering they just went through the process of patching many command injection vulnerabilities disclosed by the Exploiteers," Bercegay wrote in his advisory.

Tony Hart, chief architect at Corero Network Security, told eWEEK that the biggest surprise with the WD security disclosure is that IoT device manufacturers still do not keep security implications top of mind when bringing technologies to market.

"The existence of default and generic admin username and password hardcoded into the binary in the My Cloud Storage device makes access and exploitation very trivial," Hart said.

What Should Users Do?

There are several things that users can do to help mitigate the risk of security issues in WD's NAS devices. WD regularly updates the firmware for its devices to fix stability as well as security issues.

"We urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended," WD stated.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover," WD stated. "We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.